Deploying and tuning a V2Ray server in ws+tls1.3+nginx mode

After four years of using shadowsocks-libev to bypass internet censorship, at the start of 2020 I finally switched the server side to V2Ray in WebSocket+TLS+Web mode. This post records the whole process as an installation guide. All steps were carried out on a KVM virtual machine running a freshly installed, clean Debian 10 system, logged in as root.

1. Prerequisites

Reinstall the system

Following the post "Installing a clean Debian 10 Buster over the network", reinstall a clean Debian 10 system and apply the necessary basic configuration.

Character set tweaks

1. Edit the vi configuration file: vi /etc/vim/vimrc.tiny
Change or add the following two lines:

set nocompatible
set backspace=2

2. Set the character set: vi .vimrc
Enter the following:

set fileencodings=utf-8,gb2312,gb18030,gbk,ucs-bom,cp936,latin1
set enc=utf8
set fencs=utf8,gbk,gb2312,gb18030
set nocompatible
set backspace=2

2. Install the V2Ray server in WebSocket+TLS+Web mode

1. Install with the community-maintained script fhs-install-v2ray

apt install build-essential -y
bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)

The files are installed automatically as:

installed: /usr/local/bin/v2ray
installed: /usr/local/bin/v2ctl
installed: /usr/local/share/v2ray/geoip.dat
installed: /usr/local/share/v2ray/geosite.dat
installed: /usr/local/etc/v2ray/config.json
installed: /var/log/v2ray/
installed: /var/log/v2ray/access.log
installed: /var/log/v2ray/error.log
installed: /etc/systemd/system/v2ray.service
installed: /etc/systemd/system/v2ray@.service

2. Edit the configuration file:
A single-file configuration is used here: vi /usr/local/etc/v2ray/config.json

3. Write the following configuration, adjusting it to your situation (mainly the two marked places):

{
    "log": {
        "access": "/var/log/v2ray/access.log",
        "error": "/var/log/v2ray/error.log",
        "loglevel": "warning"
    },
    "inbounds": [
        {
            "port": 10000,        // change to the port you need
            "listen": "127.0.0.1",
            "protocol": "vmess",
            "settings": {
                "clients": [
                    {
                        "id": "b0fecfb3-6984-4cb0-ab84-58499efbdcdd",
                        "alterId": 0
                    }
                ]
            },
            "streamSettings": {
                "network": "ws",
                "wsSettings": {
                    "path": "/v2ray"        // change to the path you need
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ]
}

This configuration deploys only the vmess protocol on the server; adapt it to your own needs.

4. Nginx configuration
Replace the domain.com certificate used in this config with your own.

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate /usr/local/nginx/conf/ssl/domain.com.crt;
  ssl_certificate_key /usr/local/nginx/conf/ssl/domain.com.key;
#  ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 10m;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;

  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  add_header Access-Control-Allow-Methods GET,POST,OPTIONS;

  ssl_stapling on;
  ssl_stapling_verify on;
#  ssl_trusted_certificate /usr/local/nginx/conf/ssl/root.crt;

  server_name domain.com;
  access_log /data/wwwlogs/domain.com_nginx.log combined;
  error_log /data/wwwlogs/domain.com_nginx_error.log error;
  index index.html index.php;
  root /data/wwwroot/default;
  if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
  if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }

  location /v2ray {     # this path must match the wsSettings.path in the V2Ray config above
    if ($http_upgrade != "websocket") {
      return 404;
    }
    proxy_redirect off;
    proxy_pass http://127.0.0.1:10000;      # this port must match the inbound port in the V2Ray config above
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }
  location ~ .*\.(js|css)?$ {
    expires 7d;
    access_log off;
  }
  location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) {
    deny all;
  }
  location /nginx_status {
    access_log off;
    allow 127.0.0.1;
    deny all;
  }
}
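As an added example (not code from the original post or from the V2Ray project), a small Python check that the two configurations above agree: the WebSocket path and the backend port must match, and the vmess inbound must stay on loopback so it is reachable only through Nginx. The embedded config texts are constructed samples; point the functions at the real files to use it.

```python
"""Consistency check for the V2Ray inbound and the Nginx location above.
Added example, not part of the original post; the two texts are constructed
samples mirroring the post. Point the functions at the real files to use it."""
import json
import re

V2RAY_CONFIG = """{
    "inbounds": [{
        "port": 10000,        // change to the port you need
        "listen": "127.0.0.1",
        "protocol": "vmess",
        "streamSettings": {"network": "ws", "wsSettings": {"path": "/v2ray"}}
    }]
}"""

NGINX_CONFIG = """server {
  location /v2ray {
    if ($http_upgrade != "websocket") { return 404; }
    proxy_pass http://127.0.0.1:10000;
  }
}"""

def load_v2ray(text):
    """V2Ray tolerates // comments but json.loads does not, so strip them.
    Assumes no '//' inside string values, which holds for this config."""
    return json.loads(re.sub(r"//[^\n]*", "", text))

def nginx_ws_location(text):
    """Return (path, upstream host, upstream port) of the first proxied location."""
    loc = re.search(r"location\s+(\S+)\s*\{", text)
    pp = re.search(r"proxy_pass\s+http://([\w.]+):(\d+)\s*;", text[loc.end():])
    return loc.group(1), pp.group(1), int(pp.group(2))

def check(v2ray_text, nginx_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    cfg = load_v2ray(v2ray_text)
    # first inbound carried over WebSocket (raises StopIteration if none)
    ib = next(i for i in cfg["inbounds"] if i.get("streamSettings", {}).get("network") == "ws")
    path, host, port = nginx_ws_location(nginx_text)
    ws_path = ib["streamSettings"]["wsSettings"]["path"]
    problems = []
    if ws_path != path:
        problems.append(f"path mismatch: v2ray {ws_path} vs nginx {path}")
    if ib["port"] != port:
        problems.append(f"port mismatch: v2ray {ib['port']} vs nginx {port}")
    # vmess must never be reachable directly: bind to and proxy via loopback only
    if ib.get("listen") != "127.0.0.1" or host != "127.0.0.1":
        problems.append("vmess inbound must listen on and be proxied from 127.0.0.1")
    return problems
```

Run it before `service nginx reload`; a non-empty list means clients will get 404s from Nginx or, worse, the vmess port is bound on all interfaces.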

5. Start the services

service nginx reload
systemctl enable v2ray
systemctl start v2ray

3. Related tuning

Kernel parameter tuning

Edit vi /etc/sysctl.conf and enter the following:

fs.file-max = 1024000
fs.inotify.max_user_instances = 8192
net.core.default_qdisc=fq
net.core.somaxconn = 65536
net.core.netdev_max_backlog = 65536
net.core.rmem_default = 262144
net.core.rmem_max = 67108864
net.core.wmem_default = 262144
net.core.wmem_max = 67108864
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.route.gc_timeout = 100
net.ipv4.tcp_congestion_control = hybla
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 4096 87380 67108864
net.netfilter.nf_conntrack_max = 6553500
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.nf_conntrack_max = 6553500

Save and apply with sysctl -p

Line 13, net.ipv4.tcp_congestion_control = hybla:
hybla suits high-latency links (e.g. servers in the US or Europe)
htcp suits low-latency links (e.g. Japan or Hong Kong)
Note that the file above sets net.ipv4.tcp_congestion_control twice (hybla on line 13, bbr on line 14); sysctl applies the file top to bottom, so the later bbr line is what takes effect. Keep only the line for the algorithm you actually want.
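The sysctl file above assigns net.ipv4.tcp_congestion_control twice, and the BBR step below appends the same keys a third time; since sysctl -p applies lines in order, the last value wins. As an added example (not from the original post), a Python script that parses a sysctl.conf text, lists duplicated keys and reports the value that actually takes effect. SAMPLE is a constructed excerpt of that file.

```python
"""Find duplicate sysctl keys and show which value the kernel will actually use.
Added example, not part of the original post. SAMPLE is a constructed excerpt of
the /etc/sysctl.conf above; sysctl -p applies the file top to bottom, so the last
assignment to a key wins (lines appended later by echo >> win over both)."""
import re

SAMPLE = """
fs.file-max = 1024000
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control = hybla
net.ipv4.tcp_congestion_control=bbr
# appended by the BBR step
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
"""

def parse(text):
    """Return an ordered list of (key, value) pairs, comments and blanks skipped.
    Both 'key = value' and 'key=value' spellings are accepted, as sysctl does."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"([\w.\-/]+)\s*=\s*(.*)", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def effective(text):
    """Key -> value that takes effect (the last assignment in file order)."""
    return dict(parse(text))

def duplicates(text):
    """Key -> list of every value assigned, only for keys set more than once."""
    seen = {}
    for key, value in parse(text):
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}

def report(text):
    """Human-readable lines, one per duplicated key."""
    eff = effective(text)
    return [f"{k}: set {len(v)} times ({', '.join(v)}); effective = {eff[k]}"
            for k, v in duplicates(text).items()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

To audit the real file, replace SAMPLE with open("/etc/sysctl.conf").read() and compare the effective values with the output of sysctl net.ipv4.tcp_congestion_control.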

Enable the TCP BBR congestion control algorithm

BBR aims to use the full available bandwidth while keeping queueing to a minimum.
Check the system information with uname -a and the kernel version with uname -r (BBR ships with Linux 4.9 and later, so Debian 10's 4.19 kernel includes it).

Run:

echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
Save and apply
sysctl -p

Check that the algorithm is enabled

sysctl net.ipv4.tcp_available_congestion_control
sysctl net.ipv4.tcp_congestion_control
sysctl net.core.default_qdisc
The output is typically:
net.ipv4.tcp_available_congestion_control = bbr hybla cubic reno
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq

Run lsmod | grep bbr
If the tcp_bbr module is listed, BBR is active.

Other tuning

1. Edit vi /etc/rc.local so the kernel parameters are reloaded at boot:
add sysctl -p on the line before exit 0. Debian 10 does not ship this file; if you create it, give it a #!/bin/sh first line and execute permission, otherwise the rc-local service will not run it.

2. Edit vi /etc/profile and add:
ulimit -SHn 1024000
Then reboot the server and run ulimit -n; it should return 1024000.

3. Edit vi /etc/security/limits.conf and set the following:

* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
root soft nproc 1000000
root hard nproc 1000000
root soft nofile 1000000
root hard nofile 1000000

4. Edit vi /etc/pam.d/common-session and add:
session required pam_limits.so

References: Download and install; WebSocket+TLS+Web
